Network Capture Prioritization 


When planning a network capture, consider the 
following order of preference to ensure the highest- 
fidelity evidence acquisition: 

• Network tap at link speed

• Port mirror (SPAN port) on switch

• Network tap at less than link speed


Remember that the interception of other individuals’ 
data is considered an invasion of privacy (or is flat out 
illegal) in many countries. Check before you capture — 
involve the legal team early! 


As with any evidence, safeguard the network captures
carefully, as they may contain sensitive information such
as PII, payment card (PCI DSS) or health (HIPAA) data, or
other regulated/privileged data.


Correlating Evidence Sources 


Obtain a network diagram so you know what is located 
where both physically and logically. 


DHCP and DNS logs often contain evidence that puts other
evidence in context. For example, knowing which hostname
a client system looked up immediately before it opened an
SSL/TLS connection to an IP address can be invaluable.


• DNS query logs for domains looked up from
  within the environment
• DHCP lease logs map MAC addresses to IPs
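
The correlation described above, as an added example in Python that is not part of this sheet: it parses constructed ISC dhcpd DHCPACK syslog lines and constructed BIND-style query-log lines, and for a connection seen from a client IP at a given time returns the MAC and DHCP hostname that held that IP at that moment plus the last name the client resolved in the preceding 30 seconds. The addresses, hostnames, the 30-second window and the year assumed for the syslog lines (which carry none) are all constructed assumptions.

```python
import re
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

YEAR = 2024  # syslog lines carry no year; assumed for the constructed sample below

# Constructed ISC dhcpd syslog lines (real DHCPACK message shape, made-up addresses).
# The same IP is handed to two different MACs, so the lease in force at the
# time of the connection matters.
DHCP_LOG = """\
Mar  5 13:58:02 dhcp dhcpd: DHCPACK on 10.0.0.5 to 00:11:22:33:44:55 (old-host) via eth0
Mar  5 14:01:50 dhcp dhcpd: DHCPACK on 10.0.0.5 to 3c:22:fb:aa:bb:cc (alice-laptop) via eth0
Mar  5 14:01:55 dhcp dhcpd: DHCPACK on 10.0.0.9 to 00:de:ad:be:ef:01 (printer) via eth0
"""

# Constructed BIND-style query log lines (simplified format, made-up names).
DNS_LOG = """\
05-Mar-2024 14:02:09.100 client 10.0.0.5#53011: query: www.example.org IN A +
05-Mar-2024 14:02:11.512 client 10.0.0.5#53012: query: login.example.com IN A +
05-Mar-2024 14:02:11.900 client 10.0.0.9#40001: query: updates.vendor.test IN A +
05-Mar-2024 14:02:14.000 client 10.0.0.5#53013: query: cdn.example.net IN A +
"""

DHCP_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ dhcpd: DHCPACK on (\S+) to (\S+)(?: \((\S+)\))?")
DNS_RE = re.compile(r"^(\S+ \S+) client (\S+)#\d+: query: (\S+) IN (\S+)")

Lease = Tuple[datetime, str, str, Optional[str]]   # (time, ip, mac, hostname)
Query = Tuple[datetime, str, str]                  # (time, client ip, name)


def parse_dhcp(text: str) -> List[Lease]:
    leases = []
    for line in text.splitlines():
        m = DHCP_RE.match(line)
        if m:
            ts = datetime.strptime(f"{YEAR} {m[1]}", "%Y %b %d %H:%M:%S")
            leases.append((ts, m[2], m[3].lower(), m[4]))
    return leases


def parse_dns(text: str) -> List[Query]:
    queries = []
    for line in text.splitlines():
        m = DNS_RE.match(line)
        if m:
            queries.append((datetime.strptime(m[1], "%d-%b-%Y %H:%M:%S.%f"), m[2], m[3]))
    return queries


def lease_for(leases: List[Lease], ip: str, at: datetime) -> Optional[Lease]:
    """Most recent DHCPACK for `ip` at or before `at` (lease churn makes this matter)."""
    cands = [l for l in leases if l[1] == ip and l[0] <= at]
    return max(cands, key=lambda l: l[0]) if cands else None


def last_lookup_before(queries: List[Query], client_ip: str, at: datetime,
                       window: timedelta = timedelta(seconds=30)) -> Optional[Query]:
    """Last DNS query the client made within `window` before `at` (window is an assumption)."""
    cands = [q for q in queries if q[1] == client_ip and at - window <= q[0] <= at]
    return max(cands, key=lambda q: q[0]) if cands else None


def correlate(conn_time: datetime, client_ip: str,
              dhcp_text: str = DHCP_LOG, dns_text: str = DNS_LOG) -> dict:
    """Tie a connection (client IP + time) back to a MAC, a DHCP hostname and a looked-up name."""
    lease = lease_for(parse_dhcp(dhcp_text), client_ip, conn_time)
    q = last_lookup_before(parse_dns(dns_text), client_ip, conn_time)
    return {
        "client_ip": client_ip,
        "mac": lease[2] if lease else None,
        "dhcp_hostname": lease[3] if lease else None,
        "looked_up": q[2] if q else None,
        "lookup_lag_s": (conn_time - q[0]).total_seconds() if q else None,
    }


if __name__ == "__main__":
    # A TLS connection from 10.0.0.5 observed at 14:02:12 (constructed).
    print(correlate(datetime(2024, 3, 5, 14, 2, 12), "10.0.0.5"))
```

Querying the lease table by time rather than by "current" assignment is the point: the same address belonged to a different MAC a few minutes earlier.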


Things to Remember 


If you have prepared the environment ahead of an 
incident, the evidence will be there and waiting for 
collection. If you rush, you might destroy the evidence 
or otherwise negatively affect its credibility. 


Don’t rush or panic! 





Typical tcpdump Capture Options 


Identify available capture interfaces: 
$ sudo tcpdump -D


Prevent DNS and service name lookups: 
$ sudo tcpdump -nn


Capture on interface "eth0", write to file
"output.pcap":
$ sudo tcpdump -nn -i eth0 -w output.pcap


Capture only the first 56 bytes of each frame: enough for
the 14-byte Ethernet header, a 20-byte IPv4 header and a
20-byte TCP header without options (a.k.a. "snaplen of
56"). An 802.1Q tag, IP options or TCP options push later
fields past the cut, and little or no payload is kept:
$ sudo tcpdump -nn -i eth0 \
    -w output.pcap -s 56


Capture the entire contents of each packet (a.k.a.
"snaplen zero"). Recent tcpdump versions default to a
snaplen large enough for whole packets, so -s 0 mainly
matters on older builds, but it is harmless to be explicit:
$ sudo tcpdump -nn -i eth0 \
    -w output.pcap -s 0
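
An added example, not from this sheet, that makes the snaplen trade-off concrete: it builds a constructed Ethernet/IPv4/TCP frame (made-up addresses, zero checksums) and decodes only what tcpdump would have kept at a given snaplen, mirroring -s 56 and -s 0. It shows that 56 bytes preserve addresses, ports and TCP flags for an untagged frame, that an 802.1Q tag pushes the end of the TCP header past the cut, and that a shorter snaplen loses the ports entirely.

```python
import struct
from dataclasses import dataclass
from typing import Optional


@dataclass
class Snapped:
    vlan: Optional[int]
    src_ip: str
    dst_ip: str
    proto: int
    src_port: Optional[int]
    dst_port: Optional[int]
    tcp_flags: Optional[int]
    payload_bytes_kept: int


def build_frame(payload: bytes = b"", vlan: Optional[int] = None,
                tcp_options: bytes = b"") -> bytes:
    """Constructed Ethernet/IPv4/TCP frame (checksums left zero; addresses are made up)."""
    eth = bytes.fromhex("66778899aabb") + bytes.fromhex("001122334455")   # dst MAC, src MAC
    if vlan is not None:
        eth += struct.pack("!HH", 0x8100, vlan)          # 802.1Q tag adds 4 bytes
    eth += b"\x08\x00"                                   # EtherType IPv4
    doff = 20 + len(tcp_options)
    assert doff % 4 == 0, "TCP options must pad to 32-bit words"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + doff + len(payload), 0x1234, 0x4000,
                     64, 6, 0, bytes([10, 0, 0, 5]), bytes([93, 184, 216, 34]))
    # sport 51234 -> dport 443, PSH|ACK (0x18)
    tcp = struct.pack("!HHIIBBHHH", 51234, 443, 1, 0, (doff // 4) << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + tcp_options + payload


def parse_snapped(frame: bytes, snaplen: int = 56) -> Snapped:
    """Decode what survives when tcpdump keeps only `snaplen` bytes (0 = whole frame, like -s 0)."""
    f = frame if snaplen == 0 else frame[:snaplen]
    eth_type = struct.unpack("!H", f[12:14])[0]
    off, vlan = 14, None
    if eth_type == 0x8100:
        tci, eth_type = struct.unpack("!HH", f[14:18])
        vlan, off = tci & 0x0FFF, 18
    if eth_type != 0x0800 or len(f) < off + 20:
        raise ValueError("not IPv4, or IPv4 header cut off by the snaplen")
    ihl = (f[off] & 0x0F) * 4
    proto = f[off + 9]
    src_ip = ".".join(map(str, f[off + 12:off + 16]))
    dst_ip = ".".join(map(str, f[off + 16:off + 20]))
    l4 = off + ihl
    sport = dport = flags = None
    kept = 0
    # Ports are TCP bytes 0-3 and flags byte 13, so 14 bytes of TCP header are needed.
    if proto == 6 and len(f) >= l4 + 14:
        sport, dport = struct.unpack("!HH", f[l4:l4 + 4])
        flags = f[l4 + 13]
        doff = (f[l4 + 12] >> 4) * 4
        kept = max(0, len(f) - (l4 + doff))   # payload bytes that made it into the capture
    return Snapped(vlan, src_ip, dst_ip, proto, sport, dport, flags, kept)


if __name__ == "__main__":
    hello = b"\x16\x03\x01\x02\x00"   # first bytes of a TLS record (constructed)
    for label, frame in (("untagged", build_frame(hello)),
                         ("802.1Q", build_frame(hello, vlan=100))):
        print(label, parse_snapped(frame))
```

Even the untagged case leaks two payload bytes at snaplen 56, which is why a short snaplen is a minimisation measure, not a privacy guarantee.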
Use a file-size-based "ring buffer" of 10 files, 100MB
each. Once 10 files have been written, the oldest is
overwritten. Each output file gets a numeric suffix
(e.g. "output.pcap00", "output.pcap01", etc.).
$ sudo tcpdump -nn -i eth0 \
    -w output.pcap -C 100 -W 10


Use time-based rotation with 14 files, each covering
12 hours (43,200 seconds), i.e. seven days of capture.
Note that -W combined with -G is a limit, not a ring:
tcpdump exits (status 0) after the 14th file rather than
overwriting the oldest. Filenames get appended digits as
described above; without -W, a -w name containing no
strftime(3) specifiers is overwritten on every rotation.
$ sudo tcpdump -nn -i eth0 \
    -w output.pcap -G 43200 -W 14


NOTE: Not all tcpdump versions and distributions 
provide all options. Verify capture commands before 
running them! 
Purpose


This sheet covers the various locations where evidence 
to assist in an investigation may be located. 


Identify the time server, time zone and skew. For Windows
2000 and 2003 systems:
C:\> net time


From Windows Server 2008, Windows 7 and 8 onward:
C:\> w32tm /query /source


If the service is not running, pull from the registry: 
C:\> w32tm /dumpreg 


To identify the system’s time zone: 
C:\> w32tm /tz 


In Linux, OS X, and other Unix-like systems display 
UTC with the following command: 
$ date -u


Be careful if you are root: date with a date-string
argument sets the clock instead of displaying it, so type
it exactly as shown!





Exporting NetFlow Data 


fprobe can be used to export NetFlow data from a
Linux/Unix-like host to a collector (specified as IP:port):


$ fprobe -i eth0 -f 'ip' 192.168.1.15:9995


Capturing Exported NetFlow Data 


nfcapd is a NetFlow capture daemon. Listen on UDP port
9995 (IPv4 only), daemonize, and store the flows of one
exporter under the given directory:
$ nfcapd -p 9995 -4 -w -D \
    -n <host_id>,<exporter_IP>,/path/to/dir
Specify the storage directory naming convention with
the -S switch (see the man page for available formats).


nfdump Input and Time Slicing 


nfdump can read from one or more files, or a directory 
tree full of files. 


-r <filename>
-R <list of files or directories>


To limit a query to a specific time frame, use the -t
switch with times specified as
"YYYY/MM/dd.hh:mm:ss". Lower-order time
components may be omitted (e.g. "YYYY/MM/dd" for day-
level granularity).


-t '<starttime>[-<endtime>]'


nfdump Output Formats 


There are several pre-defined output formats plus a
custom formatting option. Use the -o switch to specify:


-o line      (default) One flow per line
-o long      One line per flow with TCP
             flags and TOS values
-o extended  One line per flow with TCP
             flags, TOS, packets/sec,
             bits/sec, and bits/packet values
-o csv       All values displayed in CSV




nfdump Output Formats, Cont. 


A number of format strings can be used with nfdump
to change how the output is displayed:


$ nfdump -r <in file> -o "fmt:<fmt str>"


%ts   Start Time           %in   Input Int Num
%te   End Time             %out  Output Int Num
%td   Duration             %pkt  Packets
%pr   Protocol             %byt  Bytes
%sa   Src Address          %fl   Flows
%da   Dst Address          %flg  TCP Flags
%sap  Src Address:Port     %tos  Type of Service
%dap  Dst Address:Port     %bps  bits/second
%sp   Src Port             %pps  packets/second
%dp   Dst Port             %bpp  bits/packet
%sas  Src AS
%das  Dst AS


Use this option to generate custom CSV, which can be 
imported to other tools for processing or visualization. 


$ nfdump -r <in file(s)> \
    -o "fmt:%pkt,%sa,%da" > netflow.csv


Aggregate output records:


-a           Aggregate by the standard NetFlow 5-tuple
             (proto, srcip, dstip, srcport, and dstport)
-b           Automatic bidirectional aggregation
-B           Semi-intelligent bidirectional aggregation
             (tries to identify client and server based on
             port >1024)
-A <fields>  Custom aggregation fields (see the man page)


View the “topN” talkers to identify the noisiest IPs by 
flow count. (See the man page for additional statistic 
calculations and ordering options to the —s switch.) 


S$ nfdump -r <in file(s)> -s ip/flows -n 10 
Display a limited number of records with the —c switch. 


$ nfdump -r <in file(s)> -c <record_limit>
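
An added example, not part of this sheet, that covers both the custom fmt CSV export and the top-N statistic above: a Python script that parses constructed output resembling `nfdump -o "fmt:%ts,%sa,%sp,%da,%dp,%pr,%pkt,%byt"`, skips the header and summary lines, and reproduces the ranking of `-s ip/flows` and `-s ip/bytes` plus `-a` style 5-tuple aggregation. The sample records and the exact column layout are constructed assumptions; check real output against your nfdump version before relying on the column order.

```python
import csv
from collections import Counter, defaultdict
from io import StringIO
from typing import Dict, List, Tuple

# Constructed sample resembling the output of
#   nfdump -r in -o "fmt:%ts,%sa,%sp,%da,%dp,%pr,%pkt,%byt"
# The last two TCP records share a 5-tuple (a long session split by the
# exporter's active timeout) to show what aggregation merges.
SAMPLE = """\
ts,sa,sp,da,dp,pr,pkt,byt
2024-03-05 14:02:12.010,10.0.0.5,51234,93.184.216.34,443,TCP,42,31800
2024-03-05 14:02:12.010,93.184.216.34,443,10.0.0.5,51234,TCP,38,145200
2024-03-05 14:02:30.400,10.0.0.5,51240,93.184.216.34,443,TCP,12,2400
2024-03-05 14:03:01.000,10.0.0.9,40001,203.0.113.7,53,UDP,1,72
2024-03-05 14:03:01.050,203.0.113.7,53,10.0.0.9,40001,UDP,1,310
2024-03-05 14:03:10.000,10.0.0.9,40002,203.0.113.7,53,UDP,1,70
2024-03-05 14:05:00.000,10.0.0.23,60000,198.51.100.20,22,TCP,900,5242880
2024-03-05 14:02:40.000,10.0.0.5,51234,93.184.216.34,443,TCP,10,800
Summary: total flows: 8, total bytes: 5423532, total packets: 1005
"""

FIELDS = ["ts", "sa", "sp", "da", "dp", "pr", "pkt", "byt"]
FiveTuple = Tuple[str, str, str, str, str]


def parse_fmt(text: str) -> List[dict]:
    """Parse fmt output, dropping the header row, summary lines and anything malformed."""
    records = []
    for row in csv.reader(StringIO(text)):
        if len(row) != len(FIELDS) or not row[6].strip().isdigit():
            continue
        rec = dict(zip(FIELDS, (v.strip() for v in row)))
        rec["pkt"], rec["byt"] = int(rec["pkt"]), int(rec["byt"])
        records.append(rec)
    return records


def top_ips(records: List[dict], stat: str = "flows", n: int = 10) -> List[Tuple[str, int]]:
    """Like `nfdump -s ip/<stat> -n <n>`: rank every address seen as src or dst.
    stat is "flows" (one per record), "pkt" or "byt"; ties break on address."""
    totals: Counter = Counter()
    for r in records:
        for ip in (r["sa"], r["da"]):
            totals[ip] += 1 if stat == "flows" else r[stat]
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


def aggregate_5tuple(records: List[dict]) -> Dict[FiveTuple, dict]:
    """Like `nfdump -a`: merge records sharing (proto, src ip, src port, dst ip, dst port)."""
    agg: Dict[FiveTuple, dict] = defaultdict(lambda: {"flows": 0, "pkt": 0, "byt": 0})
    for r in records:
        a = agg[(r["pr"], r["sa"], r["sp"], r["da"], r["dp"])]
        a["flows"] += 1
        a["pkt"] += r["pkt"]
        a["byt"] += r["byt"]
    return dict(agg)


if __name__ == "__main__":
    recs = parse_fmt(SAMPLE)
    print("top talkers by flows:", top_ips(recs, "flows", 3))
    print("top talkers by bytes:", top_ips(recs, "byt", 3))
    for key, v in aggregate_5tuple(recs).items():
        print(key, v)
```

Ranking by flows and by bytes tells different stories on the same data (the chatty web client versus the single large SSH transfer), which is why the -s statistic and its ordering key should be chosen per question.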
Wireless


For Wireless networks investigations, supplement 
standard log data with Wireless DHCP Servers logs, 
Wireless IDS Logs, Access Point Logs, and Wireless 
LAN Controller logs, and client logs: 


In Apple OS X: 
• In the Console application, search all
  messages for 'airport'


In Windows 7 and later, use Event Viewer to obtain the 
Operational log from: 

Applications and Service Logs -> Microsoft -> 
Windows -> WLAN-AutoConfig 


In Linux and other Unix-like OSes examine the files in
the /var/log/ directory (and the systemd journal, where
present).


Switches 


For localized incidents, switching equipment can be 
incredibly revealing. Focus on the following: 

• Switch CAM tables to map MACs to ports

• Switch OS version and patch levels

• Switch live port status

• Switch port configuration (VLAN, SPAN/port
  mirroring, etc.)

• Switch ACLs


This evidence can quickly lead the investigator to the 
physical network segment or device responsible for 
anomalous or suspicious activity. 





